The GDPR, or General Data Protection Regulation, is the most ambitious overhaul of data privacy in 20 years. When it is enforced from May 25th 2018, it will dramatically impact how people live and work.
Even though it’s been almost two years since the changes were announced and put into law, it may only now be on your radar. If your organisation hasn’t made strides towards becoming compliant with the new regulation, you’re already behind. Here’s everything you need to know:
What is the GDPR?
The GDPR is meant to replace the previous, outdated data protection regulation. The laws it replaces were written when the digital age barely existed. Now, almost everything that we do requires the use of digital technology, whether it is communicating on social media or checking online banking.
However, those services also collect and leverage user data. The GDPR’s goal is to protect consumer privacy and address businesses’ reliance on data in the digital age.
What Does It Mean For You and Your Business?
Even businesses that operate outside of the European Union (EU) may be affected by the new regulations. Organisations that collect data on any citizens within the EU, regardless of whether they conduct business there, will be required to comply with the rules laid out by the GDPR. What are those rules and changes? Here are three of the most important:
- Data roles and responsibilities: The GDPR states that controllers and processors are liable for meeting data standards. Simply put, controllers are the decision makers: they decide the means and purposes for collecting data (for example, banks or retailers). Processors are the ones that collect and store data (for example, third-party agencies or data centres). For companies that process extensive amounts of data, the GDPR requires a Data Protection Officer to act as the point person.
- The types of data protected: Basic identity information like name and address was already protected; now details such as cookie data, IP addresses, sexual orientation, race and political opinions fall under the same umbrella of protection.
- Data breaches: If an organisation has a data breach, the GDPR outlines a 72-hour notification period. As an individual, this means that an organisation suffering a breach is required to notify you when your data is affected.
Not complying with the GDPR could result in serious penalties and fines, and could even lead to a company’s downfall. The severity of the penalty or fine for a data breach may vary depending on the context, the extent of the damage, the number of individuals affected, and whether or not preventative measures were taken. At the upper level, fines could reach up to €20 million, or 4% of worldwide annual revenue.
Organisations at all levels can’t afford to be non-compliant. In fact, in a 2017 PwC survey, nearly 92% of participants considered compliance with the GDPR a top priority for their business’s data and security, and over half said it was the top priority. In the same survey, 68% of companies based in the U.S. expected to spend $1 million to $10 million on complying with the updates. The cost may seem great, but compared to the risks and costs that will be associated with noncompliance, it is minimal.